On Tuesday, 8 October, SAP released 7 new security patches and 1 update to an already released patch.
Any software application demands continuous patching, and SAP enterprise solutions are no exception. SAP applications process your most valuable data assets: they must be protected, run stably, comply with regulations, and be secured against internal and external cyber threats. This October patch day also ships an update to a previously released patch, which confirms that patching is never a fully completed task. Even with meticulous housekeeping, full compliance is rarely achieved.
We have created technology that enables effective and intelligent patching by providing real-time, actionable intelligence across applications and across custom code, for which no commercial patches exist.
With real-time detection, vulnerabilities can be mitigated before any harm is done, and patching becomes simple, accurate and compliant.
GDPR demands a close watch on any vulnerability that may allow unauthorized access to personal data. Special attention is therefore warranted for the medium-severity patch dealing with Email Management in SAP CRM, SNOTE 2751806. On unpatched instances the vulnerability could allow an attacker to extract system information as well as information stored on the server.
The patch SNOTE 2786151, dealing with a Denial of service (DoS) vulnerability in SAP Kernel (RFC), SAP GUI for Windows and SAP GUI for Java, received an update.
Summary by Severity

| SAP Note | Title | Affected products and versions |
|---|---|---|
| 2826015 | [CVE-2019-0379] Missing Authentication Check in AS2 Adapter of B2B Add-On for SAP NetWeaver Process Integration | SAP NetWeaver Process Integration (AS2 Adapter), versions 1.0, 2.0 |
| 2828682 | [CVE-2019-0380] Information Disclosure vulnerability in SAP Landscape Management Enterprise | SAP Landscape Management enterprise edition, version 3.0 |
| 2792430 | [CVE-2019-0381] Binary Planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering | SAP IQ, version 16.1; SAP SQL Anywhere, version 17.0; SAP Dynamic Tiering, versions 1.0, 2.0 |
| 2751806 | [CVE-2019-0368] Cross-Site Scripting (XSS) vulnerability in Customer Relationship Management (Email Management) | SAP Customer Relationship Management (Email Management), versions S4CRM 100, 200; BBPCRM 700, 701, 702, 712, 713, 714 |
| 2817945 | [CVE-2019-0374] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface); additional CVE IDs: CVE-2019-0375, CVE-2019-0376, CVE-2019-0377, CVE-2019-0378 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), versions 420, 430 |
| 2806403 | [CVE-2019-0370] Multiple Vulnerabilities in SAP Financial Consolidation; additional CVE ID: CVE-2019-0369 | SAP Financial Consolidation, versions 10.0, 10.1 |
| 2786151 | Update to Security Note released on September 2019 Patch Day: [CVE-2019-0365] Denial of service (DoS) in SAP Kernel (RFC), SAP GUI for Windows and SAP GUI for Java | SAP Kernel (RFC), versions KRNL32NUC, KRNL32UC and KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; KERNEL 7.21, 7.49, 7.53, 7.73, 7.76 |
| 2805777 | [CVE-2019-0367] Missing Authorization Check in B2B Content Manager of B2B Add-On for SAP NetWeaver Process Integration | SAP NetWeaver Process Integration (B2B Toolkit), versions 1.0, 2.0 |
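A patch-day summary like the one above is only useful once it is matched against what is actually installed, and the re-released note 2786151 shows why the tracker also has to notice updates to notes it already considers done. The following triage helper is an added example written for this post; it is not SAP's code nor the tooling described earlier. It parses a subset of this month's entries in the layout they were captured in here (a `|note||title` line followed by `Product - ..., Version(s) - ...` lines), extracts every CVE id and the affected product/version tokens, and reports which notes apply to a constructed inventory of installed components. The inventory, the substring-based product matching and the coarse handling of the multi-flavour kernel line are assumptions of the example, not something the page states.

```python
"""Triage helper for an SAP Patch Day summary (added example, not SAP's or the
page author's code).  It parses the note list, pulls out the CVE ids and the
affected product/version tokens, and matches them against a constructed
inventory of installed components so that only applicable notes are reported."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A subset of the October 2019 entries, as they appear in the summary on this
# page ("|note||title" line, then one "Product - ..., Version(s) - ..." line
# per affected product).
PATCH_LIST = """\
|2792430||[CVE-2019-0381] Binary Planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering
Product - SAP IQ, Version - 16.1
Product - SAP SQL Anywhere, Version - 17.0
Product - SAP Dynamic Tiering, Version - 1.0, 2.0
|2751806||[CVE-2019-0368] Cross-Site Scripting (XSS) vulnerability in Customer relationship management (Email management)
Product - SAP Customer Relationship Management (Email Management), Versions - S4CRM 100, 200; BBPCRM 700, 701, 702, 712, 713, 714
|2817945||[CVE-2019-0374] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)Additional CVE IDs - CVE-2019-0375, CVE-2019-0376, CVE-2019-0377, CVE-2019-0378
Product - SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), Versions - 420, 430
|2786151||Update to Security Note released on September 2019 Patch Day:[CVE-2019-0365] Denial of service (DOS) in SAP Kernel (RFC), SAP GUI for Windows and SAP GUI for Java
Product - SAP Kernel (RFC), Versions - KRNL32NUC, KRNL32UC and KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73 and KERNEL 7.21, 7.49, 7.53, 7.73, 7.76
"""

# Constructed inventory (assumption): (product name as known locally, installed version).
INVENTORY = [
    ("SAP SQL Anywhere", "17.0"),
    ("SAP Kernel", "7.53"),
    ("SAP Kernel", "7.40"),
    ("SAP Customer Relationship Management", "701"),
    ("SAP IQ", "16.0"),
]

NOTE_RE = re.compile(r"^\|(\d+)\|\|(.*)$")
PRODUCT_RE = re.compile(r"^Product - (.+?), Versions? - (.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class SecurityNote:
    note_id: str
    title: str
    cves: list[str]
    is_update: bool  # re-release of a note the patch tracker may already mark as applied
    products: dict[str, set[str]] = field(default_factory=dict)


def version_tokens(versions: str) -> set[str]:
    """Split 'KRNL64UC 7.21, 7.22 and KERNEL 7.53' into its tokens.  The kernel
    entry mixes kernel flavours and release numbers, so matching is deliberately
    coarse: any listed version number counts, regardless of flavour."""
    return {t for t in re.split(r"[,;\s]+", versions) if t and t.lower() != "and"}


def parse_patch_list(text: str) -> list[SecurityNote]:
    notes: list[SecurityNote] = []
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := NOTE_RE.match(line)):
            note_id, title = m.groups()
            current = SecurityNote(note_id, title, CVE_RE.findall(title),
                                   title.startswith("Update to Security Note"))
            notes.append(current)
        elif current is not None and (m := PRODUCT_RE.match(line)):
            product, versions = m.groups()
            current.products[product] = version_tokens(versions)
    return notes


def applicable_notes(notes, inventory):
    """Return (note_id, product, version) for every installed component whose
    version is listed in a note.  Product matching is a case-insensitive
    substring test, so a local name like 'SAP Kernel' hits 'SAP Kernel (RFC)'."""
    hits = []
    for note in notes:
        for product, versions in note.products.items():
            for inv_product, inv_version in inventory:
                if inv_product.lower() in product.lower() and inv_version in versions:
                    hits.append((note.note_id, product, inv_version))
    return hits


def report(notes, inventory) -> list[str]:
    """One line per applicable note; updated notes are flagged for re-check."""
    lines = []
    for note_id, product, version in applicable_notes(notes, inventory):
        note = next(n for n in notes if n.note_id == note_id)
        flag = " [UPDATED NOTE: re-check even if applied before]" if note.is_update else ""
        lines.append(f"{note_id} {', '.join(note.cves)} -> {product} {version}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_patch_list(PATCH_LIST), INVENTORY)))
```

With the constructed inventory, three notes apply: 2792430 (SQL Anywhere 17.0), 2751806 (CRM 701) and 2786151 (kernel 7.53), and only the last one carries the re-check flag. Kernel 7.40 and IQ 16.0 are correctly left out because their versions are not in the affected sets; a real tracker would refine the kernel match by flavour and then feed the result into the note-implementation workflow rather than stopping at the report.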